A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Similar Podcasts
Thinking Elixir Podcast
The Thinking Elixir podcast is a weekly show where we talk about the Elixir programming language and the community around it. We cover news and interview guests to learn more about projects and developments in the community.
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Elixir Outlaws
Elixir Outlaws is an informal discussion about interesting things happening in Elixir. Our goal is to capture the spirit of a conference hallway discussion in a podcast.
SANS Stormcast Tuesday, August 26th, 2025: Decoding Word Reading Location; Image Downscaling AI Vulnerability; IBM Jazz Team Server Vuln
Reading Location Position Value in Microsoft Word Documents Jessy investigated how Word documents store the last visited document location in the registry. https://isc.sans.edu/diary/Reading%20Location%20Position%20Value%20in%20Microsoft%20Word%20Documents/32224 Weaponizing image scaling against production AI systems AI systems often downscale images before processing them. An attacker can create a harmless looking image that would reveal text after downscaling leading to prompt injection https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/ IBM Jazz Team Server Vulnerability CVE-2025-36157 IBM patched a critical vulnerability in its Jazz Team Server https://www.ibm.com/support/pages/node/7242925
SANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions
The end of an era: Properly formatted IP addresses in all of our data. When initiall designing DShield, addresses were zero padded , an unfortunate choice. As of this week, datafeeds should no longer be zero padded . https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228 .desktop files used in an attack against Linux Desktops Pakistani attackers are using .desktop files to target Indian Linux desktops. https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/ Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram A go module advertising its ability to quickly brute force passwords against random IP addresses, has been used to exfiltrate credentials from the person running the module. https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials Limiting Onmicrosoft Domain Usage for Sending Emails Microsoft is limiting how many emails can be sent by Microsoft 365 users using the onmicrosoft.com domain. https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167
SANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln;
Don't Forget The "-n" Command Line Switch Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks. https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220 watchTowr releases details about recent Commvault flaws Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123 Docker Desktop Vulnerability CVE-2025-9074 A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host. https://docs.docker.com/desktop/release-notes/#4443
SANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking
Airtel Router Scans and Mislabeled Usernames A quick summary of some odd usernames that show up in our honeypot logs https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216 Apple Patches 0-Day CVE-2025-43300 Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerability in ImageIO. https://support.apple.com/en-us/124925 Microsoft Copilot Audit Logs A user retrieving data via copilot obscures the fact that the user may have had access to data in a specific file https://pistachioapp.com/blog/copilot-broke-your-audit-log Password Managers Susceptible to Clickjacking Many password managers are susceptible to clickjacking, and only few have fixed the problem so far https://marektoth.com/blog/dom-based-extension-clickjacking/
SANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues
Increased Elasticsearch Recognizance Scans Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard. https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212 Microsoft Patch Tuesday Issues Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999 Details explaining how to take advantage of two SAP vulnerabilities were made public https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
SANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln;
Keeping an Eye on MFA Bombing Attacks Attackers will attempt to use authentication fatigue by bombing users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem. https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208 Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79 F5 Access for Android vulnerability An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack. https://my.f5.com/manage/s/article/K000152049
SANS Stormcast Monday, August 18th, 2025: 5G Attack Framework; Plex Vulnerability; Fortiweb Exploit; Flowise Vuln
SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks. https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202 Plex Vulnerability Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1. https://forums.plex.tv/t/plex-media-server-security-update/928341 FortiWeb Exploit Public A security researcher published details about the recent FortiWeb vulnerability, including demonstrating a PoC exploit. https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/ Flowise OS vulnerability https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/
SANS Stormcast Friday, August 15th, 2025: Analysing Attack with AI; Proxyware via YouTube; Xerox FreeFlow Vuln; Evaluating Zero Trust @SANS_edu
AI and Faster Attack Analysis A few use cases for LLMs to speed up analysis https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198 Proxyware Malware Being Distributed on YouTube Video Download Site Popular YouTube download sites will attempt to infect users with proxyware. https://asec.ahnlab.com/en/89574/ Xerox Freeflow Core Vulnerability Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances. https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/ SANS.edu Research: Darren Carstensen Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing Not all Zero Trust Network Access (ZTNA) solutions are created equal, and despite bold marketing claims, many fall short of delivering proper Zero Trust security. https://www.sans.edu/cyber-research/evaluating-zero-trust-network-access-framework-comparative-security-testing/
SANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; ForitSIEM/FortiWeb patches
CVE-2017-11882 Will Never Die The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email. https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196 Windows Kerberos Elevation of Privilege Vulnerability Yesterday, Microsoft released a patch for a vulnerability that had already been made public. This vulnerability refers to the privilege escalation taking advantage of a path traversal issue in Windows Kerberos affecting Exchange Server in hybrid mode. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779 Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account. https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images FortiSIEM / FortiWeb Vulnerablities Fortinet patched already exploited vulnerabilities in FortiWeb and FortiSIEM https://fortiguard.fortinet.com/psirt/FG-IR-25-152 https://fortiguard.fortinet.com/psirt/FG-IR-25-448
SANS Stormcast Wednesday, August 13th, 2025: Microsoft Patch Tuesday; libarchive vulnerability upgrade; Adobe Patches
Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/ libarchive Vulnerability A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc Adobe Patches Adobe released patches for 13 different products. https://helpx.adobe.com/security/Home.html
SANS Stormcast Tuesday, August 12th, 2025: Erlang OTP SSH Exploits (Palo Alto Networks); Winrar Exploits; Netscaler Exploits; OpenSSH Pushing PQ Crypto;
Erlang OTP SSH Exploits A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed. https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ WinRAR Exploited WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted. https://thehackernews.com/2025/08/winrar-zero-day-under-active.html Citrix Netscaler Exploit Updates The Dutch Center for Cyber Security is updating its guidance on recent Citrix Netscaler attacks. Note that the attacks started before a patch became available, and attackers are actively hiding their tracks to make it more difficult to detect a compromise. https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/ OpenSSH Post Quantum Encryption Starting in version 10.1, OpenSSH will warn users if they are using quantum-unsafe algorithms https://www.openssh.com/pq.html
SANS Stormcast Monday, August 11th, 2025: Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic
Google Paid Ads for Fake Tesla Websites Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products. https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186 Compromising USB Devices for Persistent Stealthy Access USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands. https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/ Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS Internet-exposed DCs can be used in very powerful DoS attacks. https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60389
SANS Stormcast Friday, August 8th, 2025:: ASN43350 Mass Scans; HTTP1.1 Must Die; Hyprid Exchange Vuln; Sonicwall Update; SANS.edu Research: OSS Security and Shifting Left
Mass Internet Scanning from ASN 43350 Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350 https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments HTTP/1.1 Desync Attacks Portswigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1 https://portswigger.net/research/http1-must-die Microsoft Warns of Exchange Server Vulnerability An attacker with admin access to an Exchange Server in a hybrid configuration can use this vulnerability to gain full domain access. The issue is mitigated by an April hotfix, but was not noted in the release of the April Hotfix. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786 Sonicwall Update Sonicwall no longer believes that a new vulnerability was used in recent compromises https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430 SANS.edu Research: Wellington Rampazo, Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components https://www.sans.edu/cyber-research/shift-left-awareness-detection-developers-using-vulnerable-open-source-software-components/
SANS Stormcast Thursday, August 7th, 2025: Sextortion Update; Adobe and Trend Micro release emergency patches
Do Sextortion Scams Still Work in 2025? Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work. https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178 Akira Ransomware Group s use of Drivers Guidepoint Security observed the Akira ransomware group using specific legitimate drivers for privilege escalation https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/ Adobe Patches Critical Experience Manager Vulnerability Adobe released emergency patches for a vulnerability in Adobe Experience Manager after a PoC exploit was made public. https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/ https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html Trend Micro Apex One Vulnerability Trend Micro released an emergency patch for an actively exploited pre-authentication remote code execution vulnerability in the Apex One management console. https://success.trendmicro.com/en-US/solution/KA-0020652
SANS Stormcast Wednesday, August 6th, 2025: Machinekeys and VIEWSTATEs; Perplexity Unethical Learning; SonicWall Updates
Stealing Machinekeys for fun and profit (or riding the SharePoint wave) Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost. https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wave%29/32174 Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives Perplexity will change its User Agent, or use different originating IP addresses, if it detects being blocked from scanning websites https://blog.cloudflare.com/perplexity-is-using-stealth-undeclared-crawlers-to-evade-website-no-crawl-directives/ Gen 7 SonicWall Firewalls SSLVPN Recent Threat Activity Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled. https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430